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© A cryptographic system based on information difference. 



© The cryptographic system is comprised of two 
stations A and B in which a respective string S A and 
S B of digits is stored. In station A an error-control 
information string C is generated from string S A and 
transmitted to station B over an error-free public 
channel CHI. In station B a particular string D and a 
decision bit F are generated. String D maximizes a 
predetermined reliability function of a string com- 
bination {$ B ,C,D). Decision bit F is assigned the 
value 1 if and only if a maximum value taken on by 
the reliability function is greater than a predeter- 
mined threshold. Decision bit F is transmitted to 
station A over an error-free public channel CH2. In 
both stations A and B, the respective strings S A and 



$ B are tagged as accepted when said decision bit F 
has the value 1. The above sequence is repeated, 
resulting in a .plurality of tagged strings which are 
concatenated at stations A and B to result in a 
random cipher key shared by the stations A and B. 

The predetermined reliability function can be 
defined as a conditional probability P- 
(§ A - 0|3b = S B £= Q that a random variable cor- 
responding to string S A is equal to string D, given the 
conditions that a random variable §e corresponding 
to string S B is equal to that latter string S B and a 
random variable S corresponding to the error-control 
information string £ is equal to that. latter string C. 
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The present invention relates to cryptographic 
systems, and more particularly to a method of 
generating a cipher key based on information dif- 
ference in a cryptographic system and to a cryp- 
tographic system for performing this method. 

Cryptographic systems are widely used to en- 
sure the privacy and authenticity of messages 
transmitted over insecure communication channels 
such as public telephone lines. They are heavily 
relied on in military, diplomatic and business com- 
munications of information, including voice, picture 
and text data, and for identification purposes. 

One type of cryptographic system, generally 
known as a privacy cryptosystem, prevents the 
extraction of information by unauthorized parties 
from messages transmitted over an insecure com- 
munication channel, thus assuring a transmitter that 
a message being transmitted is read only by an 
intended receiver. 

A conventional type of privacy cryptosystem 
allows a transmitter to transmit a plaintext message 
over, for instance, a telephone line to a receiver. At 
the transmitters site, an encryption device encodes 
with a secret key the plaintext message into a 
ciphertext message which is then transmitted. At 
the receiver's site, a decryption device decodes 
the ciphertext message by means of the same 
secret key back into the plaintext message. Given 
the secret key, the transformations on the message 
can be performed, whereas they cannot be per- 
formed without knowledge of the secret key, to the 
present state of mathematical knowledge, even with 
the most powerful computers known. Thus, for an 
eavesdropper who wants to decipher the message 
and yet is assumed to have no information about 
the secret key, it is infeasible to determine the 
plaintext message corresponding to a given cipher- 
text or to determine the secret key even if he were 
given matching plaintext/ciphertext pairs. 

A problem inherent to this conventional type of 
privacy cryptosystem is that it requires the distribu- 
tion of secret keys to the communicating parties. 
This is often done over a secure channel such as 
priority mail, or in advance by a trusted courier, 
which has the drawback of being expensive and 
may even be impossible, as in many military ap- 
plications. 

While in theory it is possible for an eavesdrop- 
per to break this conventional type of privacy cryp- 
tosystem, for instance by an exhaustive key 
search, this is completely infeasible if the key is 
sufficiently long (e.g., a string of 100 random bits). 
However, none of the presently used privacy cryp- 
tosystems is such that the computational security 
can be proved, i.e. no rigorous proof can be given 
in any of these cryptosystems that there exists no 
essentially faster way of breaking the cipher than 
by an exhaustive key search in which the cryp- 



tanalyst tries all possible keys to decipher the 
given ciphertext until the resulting decrypted 
ciphertext is one that makes sense, for instance by 
representing plain English text. When the amount 

5 of ciphertext is reasonably large, only one key will 
produce a valid plaintext message, which then also 
is the correct plaintext message. 

In 1949, Shannon proved that ciphers can be 
built which are impossible to break, even for an 

10 eavesdropper with unrestricted computing power 
(cf. C.E. Shannon, "Communication theory of se- 
crecy systems", Bell Syst. Tech. J., vol. 28, Oct. 
1949, pp. 656-715). Such ciphers are called un- 
conditionally secure. There is a simple explanation 

75 of how such unconditional security can be 
achieved: even if the eavesdropper uses all possi- 
ble keys to decipher the message, all the resulting 
plaintexts are valid plaintexts and thus it is impos- 
sible for the eavesdropper to choose the correct 

20 one among them. 

A well-known example of unconditionally se- 
cure cipher is the so-called one-time pad originally 
proposed by Vernam (G.S. Vernam, "Cipher print- 
ing telegraph systems for secret wire and radio 

25 telegraphic communications", J. Amer. Inst. Elec. 
Eng., vol. 55, 1926, pp. 109-115). In this kind of 
cipher, a completely random string of the same 
length as the plaintext is used as the secret key, 
and the ciphertext is obtained by adding bit by bit 

30 modulo 2 the bit sequences of the plaintext and 
key strings, addition modulo 2 being defined by the 
rules 0 + 0 = 0:0 + 1=1; 1+0 = 1; 1+1=0. The one- 
time pad achieves perfect security in the sense 
that the eavesdropper's optimal strategy for deter- 

35 mining the plaintext is provably independent of the 
ciphertext, in other words, the ciphertext is statisti- 
cally independent of the plaintext. 

A drawback of unconditionally secure ciphers 
is that the secret key used to encipher a plaintext 

40 must be at least as long as the total amount of said 
plaintext, as has been proved by Shannon. This 
secret key must be distributed in advance by some 
secure means, and in most applications it is com- 
pletely impractical to use such long secret keys. 

45 Shannon's analysis of unconditionally secure 

ciphers and the proof concerning the minimum 
amount of secret key required to achieve the de- 
scribed type of unconditional security is based on 
the assumption that error-free communication 

so channels are used, i.e. that the legitimate receiver 
as well as the eavesdropper receive an exact copy 
of the ciphertext message transmitted by the trans- 
mitter. However, transmissions over communication 
channels used in real telecommunications are sub- 

55 ject to distortion by noise, i.e., the received signal 
is not identical to the transmitted signal. By provid- 
ing sufficient redundancy in the transmitted signal, 
for instance by transmitting each signal several 
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times or by using error-correcting codes, a channel 
can be made virtually error-free. More precisely, 
transmitted messages can be taken from a finite 
set of possible messages and then, with an ar- 
bitrarily small probability of making a wrong de- 
cision, the receiver can decide which message was 
transmitted. Examples of such channels are com- 
puter network links. For every channel, the amount 
of information which can reliably be transmitted in 
a given time interval is characterized by the capac- 
ity of the channel and is finite (see R.G. Gallager, 
"Information theory and reliable communications", 
New York: John Wiley, 1968, for a definition of 
channel capacity). It should be noted that although 
many communication channels, for instance com- 
puter data links, appear to their users to be virtually 
error-free, the underlying unprotected channel is 
not error-free. 

By way of example, let a channel be consid- 
ered whose input and output both are binary, i.e. 
either 0 or 1. Let the error probability of the chan- 
nel be 10 %, i.e. there is a probability of 10 % that 
a transmitted 0 is flipped into a 1 at the receiver, 
and similarly, there is a probability of 10 % that a 
transmitted 1 is flipped into a 0. A very simple 
method of increasing the reliability of communica- 
tions over such a channel is to transmit every bit 
several times, for instance 7 times. In this instance, 
after receiving 7 bits, which need not be identical 
because errors may have occurred on the channel, 
the receiver will make a majority decision, i.e. the 
receiver decides that the bit actually transmitted is 
the bit that is contained 4 or more times in the set 
of 7 received bits. It can be shown that the bit-error 
probability is reduced from 10 % to 0.43 % by 
means of this very simple error-correcting code. 

An error-correcting {n,k) block code is a trans- 
formation which assigns to every information word 
of length k a code word of length a?, wherein the 
information word and code word digits are taken 
from some finite alphabets. Most often the two 
alphabets are identical and n>k. When the al- 
phabet is the set {0,1} the code is called a binary 
code. A very important class of error-correcting 
codes is comprised of so-called linear codes in 
which every code word digit is a linear combination 
of the information word digits. Addition of binary 
digits is performed modulo 2 as defined above. 
Thus, the sum of several bits is equal to 1 if and 
only if the number of ones among the summed 
terms is odd, else the sum is equal to 0. A particu- 
lar and important class of linear codes is com- 
prised of so-called systematic codes for which the 
code word is the information word together with an 
appended sequence of n-k parity check bits. By 
way of example, a linear systematic (7,3) code is 
one which encodes an information word [X1.X2.X3] 
into the code word 



[xi ,x 2 ,x 3 ,Xi +x 2 ,Xi +x 3 ,x 2 +x 3 ,xi +x 2 +x 3 ], i.e., the 
parity check bits consist of all combinations of 2 or 
3 information word bits. For instance, when the 
code is binary the code word assigned to the 

5 information word 101 is 1011010. 

As mentioned above, the information and code 
word digits can be taken from any finite set of 
digits, e.g. the set {0,1,2,3,4,5,6}, although the 
most often used codes are binary. In the general 

70 case, the addition operation for adding two ele- 
ments of the taken set must be defined. Usually, 
this is the addition operation of a finite mathemat- 
ical group corresponding to the taken set, and then, 
a linear combination of digits can be defined as the 

75 sum of elements of a subset of the taken set, 
where every subset corresponds to a different lin- 
ear combination. It is generally accepted and 
should be noted that, in this context, the taken set 
itself also is one of said subsets, i.e. the linear 

20 combination of digits may be the sum of some or 
alt elements of the taken set. In the above example 
of the set {0,1 ,2,3,4,5,6} the addition operation can 
be defined as addition modulo 7, so that for in- 
stance 1+4 = 5; 3 + 6 = 2; 5 + 3 + 4 + 6 = 4; etc., and 

25 a linear combination of digits is an addition modulo 
7 thereof. 

Many communication channels, in particular 
satellite and radio communication channels, have 
the property that not only a legitimate receiver but 

30 also any other receiver within a certain range can 
receive the transmitted signal. However, the noise 
which corrupts the received signals is different for 
every receiver. The thermal noise within a receiver 
is statistically independent of that of the other re- 

35 ceivers. and the noise introduced by the actual 
transmission (e.g. the atmospheric noise) is, to a 
certain degree, also independent for different re- 
ceivers. The received signal power and thus the 
quality of the received signal depends on the loca- 

40 tion of the receiver with respect to the transmitter 
and decreases with the square of the distance of 
the receiver to the transmitter. 

A communication channel with one transmitter 
but possibly several receivers each having a dif- 

45 ferent respective noise is called a broadcast chan- 
nel. When a system is designed to allow error-free 
communication between the transmitter and a le- 
gitimate receiver, then also another receiver can 
receive the transmitted information reliably, as long 

50 as its signal-to-noise power ratio is at least equal to 
that of the legitimate receiver. On the other hand, 
when the eavesdropper's noise is stronger he may 
not be able to make a reliable decision about the 
transmitted message even when the legitimate re- 

55 ceiver can. Thus, when in a cryptographic commu- 
nication system the eavesdropper's channel is 
worse than the legitimate receiver's channel, then it 
is possible to transmit information securely regard- 
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less of the eavesdropper's computing power and 
manpower. This fact was first pointed out by 
Wyner (see A.D. Wyner, "The wire-tap channel", 
Bell Syst. Tech. J., vol. 54, Oct. 1975, no. 8, pp. 
1355-1387). The intuitively obvious fact that such 5 
secure communication is possible if and only if the 
eavesdropper's channel is worse was proved by 
Csiszar and Korner (see I. CsiszaV and J. Korner, 
"Broadcast channels with confidential messages", 
IEEE Trans, on Info. The., vol. IT-24, no. 3, May io 
1 978, pp. 339-348). 

However, in most cryptographic scenarios it is 
unrealistic and very dangerous to assume that the 
eavesdropper's channel is worse than the legiti- 
mate receiver's channel. For instance, it is dan- 15 
gerous to assume that the eavesdropper's receiv- 
ing antenna is smaller than the legitimate receiver's 
antenna. However, it may be reasonable to assume 
that the ratio of the eavesdropper's antenna to the 
legitimate receiver's antenna is not greater than 20 
some number, e.g. 10 or 100. 

It is an object of the present invention to exploit 
the availability of noisy channels in order to 
achieve unconditional cryptographic security. 

More particularly, it is an object of the present 25 
invention to exploit the availability of noisy chan- 
nels in order to achieve unconditional cryptograph- 
ic security in a cryptographic system in which 
secret communication is possible even when the 
eavesdropper's channel is better (i.e. less noisy) 30 
than the legitimate receiver's channel. 

Still more particularly, it is an object of the 
present invention to exploit the availability of differ- 
ences occurring between the legitimate receiver's 
and the eavesdropper's received versions of one 35 
and the same transmitted random string, due to 
noise differences on the respective transmission 
channels, in order to achieve unconditional cryp- 
tographic security in a cryptographic system in 
which secret communication is possible even when 40 
the eavesdropper's channel is better (i.e. less 
noisy) than the legitimate receiver's channel. 

To attain these objects and others which will 
appear from the description of the invention given 
hereinafter, the invention provides a method of 45 
generating a cipher key based on information dif- 
ference in a cryptographic system, as defined in 
claim 1 , and a cryptographic system for performing 
said method, as defined in claim 22. Preferred 
embodiments of the method and the system ac- so 
cording to the invention are defined in the appen- 
ded claims. 

The present invention is based on the use of 
error-free public communication channels over 
which two parties can transmit information to each 55 
other. Since no assumption is made about the 
privacy of these channels and the eavesdropper is 
allowed to perfectly intercept all communication on 



these channels, their use does not restrict the 
practicality or reduce the security of the system. 
These channels each may be any conventional 
communication channel (e.g. a telephone line or a 
radio channel) which are appropriately error-pro- 
tected by using error-correcting techniques, but 
which need not be protected against eavesdrop- 
ping. 

The present invention does not contradict the 
teaching of Csiszar and Korner because their 
teaching only holds for a system in which commu- 
nication takes place in one single direction, which 
clearly is in contradistinction to the present inven- 
tion. 

It also should be noted that the invention can 
be applied in any situation in which two parties 
each have stored a string of digits, which strings 
are known to be statistically dependent on each 
other, i.e. to provide information about each other. 

One exemplary situation in which the two par- 
ties may possess such strings is after a noisy 
broadcast channel has been used to transmit a 
random string from one party to the other. Let a 
party A transmit a random string to a party B in 
such manner that the string received by party B is 
a noisy version of the string transmitted by party A. 
An eavesdropper E receives a different noisy ver- 
sion of the same random string transmitted by 
party A. The present invention provides a method 
for A and B to exploit the availability of such two 
correlated strings (i.e. strings statistically depen- 
dent on each other), even if Ps string is, compared 
to 0*s string, a less noisy version of A's string, and 
even if also Ps string is, compared to As string, a 
less noisy version of ffs string. 

According to the present invention, which con- 
templates a method of generating a cipher key 
based on information difference in a cryptographic 
system comprised of at least a first and a second 
cryptography station, said method comprises the 
steps of 

- storing, in said first and second stations 
(A t B), a respective string (S Al S B ) of digits 
selected from a finite alphabet, 

- in said first station (A), generating an error- 
control information string (C) from the respec- 
tive string (S A ) stored in said first station (A), 

- transmitting said error-control information 
string (C) from said first station (A) to said 
second station (B) over an error-free public 
channel CH1, 

- in said second station (B), generating a par- 
ticular string (D) and a decision bit (F) repre- 
sentative of a reliability estimate, said particu- 
lar string (D) being that string which maxi- 
mizes a predetermined reliability function of a 
string combination (S S ,C,D) consisting of said 
string (S B ) stored in said second station (B) t 
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said error-control information string (C) and 
said particular string (0), and said decision bit 
(F) being assigned the value 1 if and only if, 
when said predetermined reliability function is 
maximized as said above, a maximum value 
taken on by said predetermined reliability 
function is greater than a predetermined 
threshold, said decision bit (F) else being 
assigned the value 0, 

- transmitting said value of said decision bit 
(F) from said second station (fl) to said first 
station {A) over an error-free public channel 
CH2, 

- in said first and second stations (A,B), tag- 
ging as accepted said respective strings 
(S A ,S B ) stored in said first and second sta- 
tions (A,B) when said decision bit (F) has the 
value 1, 

- performing the above sequence of steps a 
predetermined number of times to result in a 
corresponding plurality of tagged strings, and 

- at said first and second stations (A,B) t con- 
catenating said tagged strings (S A ,S B ) to re- 
sult in a random cipher key shared by said 
first and second stations (A,B). 

According to the present invention, the follow- 
ing embodiments may be preferred. 

Said predetermined reliability function may be 
defined as a conditional probability P- 
($ A = D\'$ B = S B ,'£=C) that a random variable ($ A ) 
corresponding to said string (S A ) stored in said first 
station (A) is equal to said particular string (D), 
given the conditions that a random variable (S s ) 
corresponding to said string (S B ) stored in said 
second station (B) is equal to that latter string (S s ) 
and a random variable (6) corresponding to said 
error-control information string (C) is equal to that 
latter string (C). 

In said first station {A) t a random string (R) may 
be generated and then a concatenation is per- 
formed on said string (S A ) stored in said first station 
{A) and said random string {R) to result in a concat- 
enated string (S A #R) which is substituted for said 
string (S A ) stored in said first station (A) when said 
error-control information string (C) is generated, so 
that said error-control information string (Q is gen- 
erated from said concatenated string {S A #R). 

In the latter case, said predetermined reliability 
function is defined as a conditional probability P- 
(§ A #fl = D|5B = Ss,S=C) that a random variable 
($ A #R) corresponding to said concatenated string 
{S A #R) stored in said first station (>A) is equal to 
said particular string (D), given the conditions that a 
random variable (§ B ) corresponding to said string 
(S B ) stored in said second station (B) is equal to 
that latter string (S B ) and a random variable (S) 
corresponding to said error-control information 
string (C) is equal to that latter string (C), and said 



decision bit (F) is assigned the value 1 if and only 
if said conditional probability P- 
(5 A #ft = D\$ B = S B ,(5 = Q is greater than a predeter- 
mined threshold. 

5 In the latter case, said error-control information 

string (C) may be generated by first encoding said 
random string (R) to result in an encoded string 
and then adding digit by digit said encoded string 
and said string (S A ) stored in said first station {A) t 

10 and said predetermined reliability function is de- 
fined as a conditional probability P- 
(R=D\$ B = S s ,£= C) that a random variable (ft) cor- 
responding to said random string (R) is equal to 
said particular string (0), given the condition that a 

75 random variable (S B ) corresponding to said string 
(S B ) stored in said second station (B) is equal to 
that latter string (S e ) and a random variable (£) 
corresponding to said error-control information 
string (C) is equal to that latter string (C). 

20 When said decision bit (F) has the value 1, a 

string compression may be performed in said first 
station {A) on said string (S A ) stored therein to 
result in a first compressed string (G A ) which is 
then stored in said first station (A). 

25 In the latter case, the sequence of steps may 

be repeated at least once, and in said repeated 
sequence said predetermined reliability function is 
defined as a conditional probability P- 
(S A = D|3s = 5e,&= C) that a random variable (6 A ) 

30 corresponding to said first compressed string (G A ) 
is equal to said particular string (0), given the 
condition that a random variable (§ B ) corresponding 
to said string (S B ) stored in said second station (B) 
is equal to that latter string (S B ) and a random 

35 variable (6) corresponding to said error-control in- 
formation string (C) is equal to that latter string (Q. 
When said decision bit (F) has the value 1 , a string 
compression also may be performed in said sec- 
ond station (B) on said particular string (D) to result 

40 in a second compressed string (G B ) which is then 
stored in said second station (B). 

In the latter case, identical string compressions 
may be performed in said first station {A) on said 
string {S A ) stored therein to result in a first com- 

45 pressed string (G A ) which is then stored in said first 
station (A) and in said second station (fl) on said 
particular string (0) to result in a second com- 
pressed string (G s ) which is then stored in said 
second station (B). 

50 Again, when said decision bit (F) has the value 

1, identical string compressions may be performed 
in said first station (A) on random string (R) to 
result in a first compressed string (G A ) which is 
then stored in said first station (A) and in said 

55 second station (B) on said particular string (0) to 
result in a second compressed string (G s ) which is 
then stored in said second station (£7). 

Compression of a string of digits may be de- 
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fined as generating a compressed string consisting 
of digits, each of which is a linear combination of 
digits of said string subjected to compression. 

Said error-control information string (C) may be 
generated as a string consisting of digits, each of 
which is a linear combination of digits of said string 
(S A ) stored in said first station (A). 

All strings may be binary strings consisting of 
a set of bits. 

A linear combination of digits may be defined 
as a sum modulo 2 of the bits comprised in a 
subset of said set of bits. 

In the latter case, both said strings (S At S B ) 
respectively stored in said first and second stations 
(A t B) may have a predetermined number N of bits, 
said error-control information string (C) consists of 
a number N-1 of parity check bits, and compres- 
sion of a string is defined as replacing the latter 
string by a single bit which results from said linear 
combination being applied to all bits of the latter 
string. 

In the latter case, said decision bit (F) may be 
assigned the value 1 when said error-control in- 
formation string (C) received in said second station 
(S) is equal to an auxiliary error-control information 
string (C) computed in said second station (fl) for 
said string (S B ) stored in said second station (B) in 
the same manner as said error-control information 
string (C) is computed in said first station (A) for 
said string {S A ) stored in said first station (A). 

The sequence of steps may be performed a 
predetermined number of times in succession. 

In the latter case, each of said strings (S A ,S B ) 
respectively stored in said first and second stations 
(A,B) may be a result of a previously performed 
sequence of steps. 

In the latter case, each of said strings (S A ,S B ) 
respectively stored in said first and second stations 
(A t B) may be a result (G A ,G B ) of a previously per- 
formed sequence of steps including a string com- 
pression performed in said first station (A) on said 
string ($ A or R) stored therein to result in a first 
compressed string {G A ) which is then stored in said 
first station (A) and in said second station {B) on 
said particular string (D) to result in a second 
compressed string (G B ) which is then stored in said 
second station (B). 

Said first and second stations (A t B) may ex- 
change their respective roles when the sequence of 
steps is repeated. 

The sequence of steps may be simultaneously 
performed a predetermined number of times in 
parallel, resulting in a same predetermined number 
of resulting error-control information strings (C) and 
resulting values of said decision bit (F), all said 
resulting error-control information strings (C) being 
merged to be transmitted from said first station (A) 
to said second station (B) in one message, and all 



said resulting values of said decision bit (F) being 
merged to be transmitted from said second station 
(B) to said first station (A) in one message. 

The invention also contemplates a cryptograph- 
5 ic system for performing the above defined meth- 
od, comprising a first and a second cryptography 
station (A,B), 

o each station (A t B) comprising 

- a respective transmitter and a respective 
w receiver capable of mutually transferring 

information strings over respective error- 
free public channels, and 

- a storage means for storing respective 
strings of digits (S At S B ,G A ,G B ), 

75 o the first station (A) further comprising 

- a string compressor having inputs respec- 
tively connected to an output of the re- 
spective storage means and to an output 
of the respective receiver, and having an 

20 output connected to an input of the re- 

spective storage means, and 

- an encoder having an input connected to 
said output of the respective storage 
means and an output connected to an 

25 input of the respective transmitter, 

o and the second station (B) further comprising 

- a decoder having an input connected to an 
output of the respective receiver and to an 
output of the respective storage means, 

30 - a string compressor having an input con- 

nected to an output of the decoder and an 
output connected to an input of the re- 
spective storage means, and 

- a reliability estimator having inputs each 
35 respectively connected to said outputs of 

the decoder, the respective receiver and 
the respective storage means, and having 
an output connected to a further input of 
the string compressor and to an input of 
40 the respective transmitter. 

Preferably, said decoder and said reliability 
estimator may be merged into a single device. 

Also preferably, when, to perform the method 
of the invention, a random string is used as defined 
45 above, the first station {A) further comprises a 
random generator whose output is connected to a 
further input of the respective string compressor 
and to a further input of the encoder. 

The method of the invention as defined above 
so is novel. No prior art cryptographic system can 
achieve this (see e.g. A.D. Wyner, "The wire-tap 
channel", Bell Syst. Tech. J., vol. 54, no. 8, pp. 
1355-1387, Oct. 1975, and C.H. Bennett, G. Bras- 
sard and J.-M. Robert, "Privacy amplification by 
55 public discussion", SIAM J. Comput., vol. 17, no. 2, 
April 1988, pp. 210-229). 

The significance of the present invention is that 
it allows to achieve unconditional security under 
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realistic assumptions about the eavesdropper, 
whereas in prior art methods the security could be 
proved only under generally unrealistic assump- 
tions about the eavesdropper. 

A noisy broadcast channel of the above type 
may be created by using an optical fiber. Since the 
received signal power can be monitored and com- 
pared to the transmitter's signal power, an eaves- 
dropper extracting more than a certain fraction of 
the signal power can be detected. Thus an upper 
bound on the quality of the eavesdropper's channel 
is known. 

Another possible method for providing received 
strings having the above described properties con- 
sists in broadcasting the output of a random gener- 
ator. For example, the signal transmitted by a sat- 
ellite is corrupted by noise when received on the 
earth, and the noise for three different receivers at 
three different locations is different. 

By way of example, a situation is considered in 
which A can transmit binary digits to B over a noisy 
channel with a bit error probability of 30 %. E is 
assumed to receive the bits transmitted by A with a 
bit error probability of only 20 %, where the errors 
are assumed to be independent, i.e. the probability 
that E receives an error is assumed to be indepen- 
dent of B receiving an error or not. It should be 
noted that E actually receives the random bits 
transmitted by A more reliably than B. 

In the exemplary situation defined above, A 
transmits a string of random bits which is grouped 
both by A and B into blocks of a certain length. For 
each received block, B transmits back to A, over a 
communication channel (e.g. a telephone line or a 
radio channel) which is error-protected but need 
not be protected against eavesdropping, an amount 
of error-control information sufficient to allow A to 
make a reliable decision about ffs block. The 
amount of error-control information is chosen such 
that it allows to correct 30 % errors in a block, but 
such that not much more than 30 % errors can be 
corrected. On the other hand, E knows &s received 
string with a bit error probability of 38 %, i.e. less 
reliably than A, although E knows A's string more 
reliably than B. The reason is that Fs and E?s 
received bits agree only when the two channels 
from A to B and from A to E either both introduce 
no error (which has a probability of 0.7*0.8 = 0.56) 
or both introduce an error (which has a probability 
of 0.3'0.2 = 0.06). The sum of these two probabil- 
ities is 0.56 + 0.06 = 0.62 = (1-0.38). The error-con- 
trol information sent back by B to A and assumed 
to be intercepted by E is therefore not sufficient for 
E to correct the errors. A and B can hence com- 
pute some linear combinations of the bits stored by 
B and also known to A with high probability in 
order to generate a secure cipher key about which 
E only can have an arbitrarily little amount of 
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information in Shannon's sense (see R.G. Gallager, 
quoted above). 

Specifically, a situation is considered in which 
each of two parties initially possesses a stored 

5 string of digits from some alphabet. The strings 
have some similarity, i.e., the mutual information 
between the two strings is positive (see R.G. Gal- 
lager, quoted above, for a definition of mutual in- 
formation). For instance, these strings are binary, 

10 and corresponding bits have a given probability to 
agree in their values. An eavesdropper is assumed 
to possess a third string of digits whose mutual 
information with each of the parties' strings may be 
positive. 

75 In such a case, the invention provides cryp- 

tographic protocols which allow the two parties to 
generate a mutual secure random cipher key such 
that, at the end of the protocol, the amount of 
information which the eavesdropper has about this 

20 secret key is arbitrarily small. Subsequently, the 
parties may use such a secure cipher key to enci- 
pher and decipher messages either by using the 
unconditionally secure one-time pad mentioned 
above (see G.S. Vernam, quoted above) or by 

25 using a conventional cryptographic system incor- 
porating a secret key. When the protocol is per- 
formed, communication between the parties is es- 
tablished by means of a communication channel 
which is error-free, i.e. sufficiently well protected by 

30 error-correcting codes, and assumed to be per- 
fectly accessible for the eavesdropper. The total 
information possessed by the eavesdropper at the 
end of the protocol thus consists of the string given 
initially and the messages exchanged between the 

35 parties when the protocol is performed. Because 
the eavesdropper has virtually no information about 
the secret key shared by the parties, unconditional 
security can be achieved. 

Diffie and Hellman (see US-A-4200770) have 

40 proposed another system which also allows two 
parties to generate a mutual cipher key by ex- 
changing messages over a completely insecure 
channel. However, the security of this system is 
based on the infeasibility of solving a certain prob- 

45 lem in number theory, which infeasibility is un- 
proven. Hence, the security of the Diffie and Hell- 
man system can be at most conditional rather than 
unconditional. 

The invention will now be described in closer 

so detail in the following, with reference to the accom- 
panying drawing in which the single Figure is a 
block diagram of a cryptographic system according 
to the invention in a particular and exemplary em- 
bodiment thereof. 

55 The Figure shows a cryptographic system hav- 

ing two cryptography stations A and B. 

In this cryptographic system, a procedure 
known as "maximum-likelihood decoding" is used, 
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which is defined in the following. 

In the theory and practice of communications, 
a problem which often occurs is that of making an 
optimal reliability decision about a transmitted sig- 
nal &, based on the information V that was received 
(incidentally, this received information may consist 
of several parts of information which may have 
been received from different sources). 

Accordingly, U and V denote random variables 
which can take on respective specific values 
U\ t Lk,. and Vi Ife,..., V|,... with respective prob- 
abilities P(0=U,),P(&=U>) P(&=y),.~ and P- 

(V= Vi),P(V= V 2 ) ,P(V= Vj),...^More particularly, 

the pair of random variables (&,V) takes on the 
value (t/,Vj) with a probability P(V= V it U=Ui). 

Loosely speaking, the resulting decoding prob- 
lem is solved by selecting, from the set of possible 
transmitted signals {(A ,(£■—}• that particular value 
Lh of the list of values (Vi.lfe,... which is most 
consistent with the particular received information 
V. More precisely, the decoding problem is solved 
by minimizing the probability of making a wrong 
decision. Still more precisely, that particular value 
Lh is selected for which the conditional probability 
is maximized that the transmitted signal U is equal 
to the particular value U, given that the received 
information V is equal to the particular received 
value of the list of values Vi ,V2,... This probabil- 
ity, denoted P(&= Lh\V= Vj), is a function which 
assigns a number to every pair (M.vj) of values for 
the random variables U and V. Generally, for dif- 
ferent values of H and this number is different. 
When all possible transmitted signals have the 
same probability of being selected, it can be shown 
that the above decoding rule is equivalent to se- 
lecting the value U % which maximizes the con- 
ditional probability P( V= V$= M). This decoding 
strategy is known as "maximum-likelihood decod- 
ing" (for a more detailed explanation of maximum- 
likelihood decoding and other decoding strategies, 
see S. Lin and D.J. Costello, "Error Control Coding: 
Fundamentals and Application", Englewood Cliffs, 
N.J.:Prentice Hall Inc., 1983). 

In the cryptographic system shown in the Fig- 
ure, stations A and B each have stored therein, in a 
respective storage means STA and STB, a respec- 
tive string S A and S B of digits selected from a finite 
alphabet, the strings S A and S B being statistically 
dependent on each other in a predetermined man- 
ner. The strings S A and S B may for instance have 
been received from some source and then stored 
in the respective storage means STA and STB. 

By way of example, the two strings S A and S B 
could be binary and known to agree in a certain 
fraction (e.g. 80 %) of their bits. Such a situation 
would arise when a random string is transmitted 
from station A to station B (or from station B station 
A) over a noisy channel with an error probability of 



20 %. 

Station A generates an error-control information 
string C from string S A by means of an encoder 
ENC. In the particular embodiment described, the 

5 error-control information string C consists of a se- 
quence of parity check bits for the bits of Sa, where 
each parity check bit is the sum modulo 2 of 
subsets of the bits of S A . This corresponds to the 
use in the encoder ENC of a systematic linear 

10 block code (see R.E. Blahut, "Theory and practice 
of error control codes", Reading, MA:Addison-Wes- 
ley, 1984) so that the error-control information 
string C only consists of that part of the code word 
which is not equal to S A , i.e. string C consists only 

75 of the parity check bits rather than the entire code 
word. String C is then transmitted by means of a 
transmitter TRA of station A to a receiver REB of 
station ffs over an error-free public channel CH1. 
Station B has a decoder DEC for the chosen 

20 error-correcting code, which decoder DEC uses as 
inputs strings the particular stored string S B and 
the particular error-control information string C to 
generate that particular string D which maximizes 
the conditional probability P($ A = D\S B = S B £= Q 

25 that a random variable S A corresponding to string 
S A is equal to string D, given the conditions that a 
random variable § s corresponding to string S B is 
equal to that latter string S B and a random variable 
£ corresponding to said error-control information 

30 string C is equal to that latter string C. In this 
context, it should be understood that 5* 5 b and S 
denote random variables which can in principle 
take on different values, and that S B and C 
denote particular values which are taken on by 

35 these random variables in the considered case. 

When all possible strings $ A have the same 
probability, i.e., when the string S A is a completely 
random string, then it is equivalent to select string 
D according to the "maximum-likelihood decoding" 

40 rule, i.e. so as to maximize the conditional probabil- 
ity P(1> s = S B ,S= C\S A =D) that a random variable § B 
corresponding to string S B is equal to that latter 
string S B and a random variable £ corresponding to 
said error-control information string C is equal to 

45 that latter string C, given the condition that a ran- 
dom variable 3* corresponding to string $ A is equal 
to string D. In this case, as it appears that for all 
strings D which are not consistent with string C the 
conditional probability P(£ s = S s ,£= =D) is 

so zero, it is equivalent to the "maximum-likelihood 
decoding" rule to select string 0, among all strings 
whose encoded error-control information is equal to 
string C, as that particular string which maximizes 
P(£ 8 = Sa|3* = D). For short, string D is station ETs 

55 best possible guess about which string S A is stored 
in station A. 

It should be noted that the conditional probabil- 
ities for different values of string D need not nec- 
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essarily be computed in order to find the best 
string D. In many applications, a simple decoding 
procedure will guarantee that the resulting string D 
maximizes the conditional probability P- 

(S a = D|§ b = Sb,£=C). 

In station B, a reliability estimator RES whose 
input consists of strings C, D and S B is used to 
estimate the reliability of the decision, i.e., the 
conditional probability P(§ A = 0|S B = 5 a ,d= C) that 
the guess D = §a is correct, given that 5 S = S B and 
S=C. The reliability estimator RES outputs a de- 
cision bit F such that F=1 if and only if the 
estimated reliability is sufficient, i.e. if the con- 
ditional probability is greater than a predetermined 
threshold, else F = 0. 

The value of bit F is then transmitted by means 
of a transmitter TRB of station B to a receiver REA 
of station A over an error-free public channel CH2. 
It should be noted that in many cases a 
"maximum-likelihood decoder" can be implement- 
ed which need not compute any probabilities ex- 
plicitly, and which directly outputs the decision bit 
F. In this case, the decoder DEC and the reliability 
estimator RES can be merged into a single device 
which could then be represented in a block dia- 
gram as one block that takes as inputs C and S B 
and generates as outputs D and F. 

It should also be noted that in many applica- 
tions the above mentioned probabilities are known 
only approximately, in which case the decoding 
and the reliability decision are based on these 
approximations of the probabilities rather than the 
actual probabilities. In other words, a system is 
usually implemented for fixed assumed approxima- 
tions of the probabilities, and is independent of the 
actual probabilities, which may also change during 
the time period in which the system is used. 

When the output of reliability estimator RES is 
F= 1 , a string compressor SCB of station B is used 
to generate from input D a string G B which is 
shorter than D. String G B may consist of some 
linear combinations of the digits of D. Station A 
uses an identical string compressor SCA with input 
S A to obtain a string G A . While the probability that 
G A = G e is at least as great as the probability that 
D = S A , the object of this compression is to reduce 
the eavesdropper's information about the respec- 
tive string G A or G B when compared to his respec- 
tive information about S A or S B . The respective 
strings G A and G A are stored in the storage means 
STA and STB of the respective stations A and B. 

It should be noted that instead of performing 
an estimation of station As string S A and a string 
compression on this estimated string D, station B 
can alternatively estimate directly the compressed 
string G A . In this case, station Bs guess about 
station A's compressed string G A is that string D 
which maximizes the conditional probability P- 



(S A = D|5 B = Se,&= C) that a random variable cor- 
responding to the compressed string G A is equal to 
the particular string D, given the condition that a 
random variable § B corresponding to string S B is 

5 equal to that latter string $ B and a random variable 
£ corresponding to the error-control information 
string C is equal to that latter string C. 

The above described protocol is repeated sev- 
eral times for independent stored strings S A and 

10 S B , and in both stations A and B there are selected, 
compressed and stored those respective strings G A 
and G B for which the reliability estimator RES of 
station B has decided that they are sufficiently 
reliable. 

75 Instead of repeatedly performing the protocol 

as described above, the error-control information 
for the independent strings also may be transmit- 
ted by station A all at once, and the reliability 
decisions then are also transmitted back from sta- 

20 tion B to station A in one message. In this case, 
station A groups the string S A into a plurality of 
subblocks. transmits error-control information for 
every subblock, and station B makes an individual 
reliability decision about every subblock. At the 

25 end of this protocol, stations A and B both possess 
a string consisting in the concatenation of the com- 
pressed selected subblocks. 

Depending on the reliability threshold used in 
the reliability estimator RES, the two strings G A and 

30 G B stored in the respective stations A and B may 
be identical with a high probability, or they may still 
differ with a certain non-negligible digit error prob- 
ability. In the latter case, stations A and 0 repeat 
the same protocol, where S A and S B are replaced 

35 by the new respective strings G A and G B , and 
where a different error-correcting code may be 
used if desired. 

The protocol is repeated a number of times 
sufficient to ensure that the two strings G A and G B 

40 stored in stations A and B agree with an overwhel- 
mingly high probability. 

The purpose of the protocol described above is 
to send error-control information and compress the 
strings stored in stations A and B in such a manner 

45 that the reliability of the compressed strings G A and 
G B is increased. Clearly, the reliability of an eaves- 
dropper's string may increase as well, but only to a 
smaller extent. To attain the desired result that the 
eavesdropper should possess only arbitrarily little 

so information, it may be necessary for stations A and 
B at some stages of the protocol to only compress 
the stored strings without sending error-control in- 
formation, in order to decrease the reliability of the 
eavesdropper's stored string. Clearly, such a com- 

55 pression step also decreases the reliability of the 
respective compressed strings G A and G B stored in 
stations A and £?, but in general only to a smaller 
extent. By means of successive applications of 
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reliability increasing and decreasing steps, stations 
A and B will end up with respective strings G A and 
G B which agree with high probability, whereas the 
eavesdropper's information virtually is statistically 
independent of this random string shared by sta- 
tions A and B. 

As has been said above, a possible method for 
providing received strings which are correlated, i.e. 
statistically dependent on each other, is to use the 
signal transmitted by a satellite. This signal is cor- 
rupted by noise when received on the earth, and 
the noise for three different receivers at three dif- 
ferent locations is different. 

By way of example, a situation is considered in 
which a satellite broadcasts random bits, and sta- 
tions A and B as well as an eavesdropper E re- 
ceive the random bits with a respective error prob- 
ability of 20 %, 20 % and 15 %, where the errors 
are independent of each other. It may be noted that 
in this example E actually receives the bits more 
reliably than both A and B. Nevertheless, A and B 
can generate an unconditionally secure random 
cipher key as described in the following. 

Each station A and B groups the received 
random strings (whose bits disagree with a bit error 
probability 1-0.8* 0.8-0.2*0.2 = 0.32) into blocks of 
5 bits. For every received block S A = - 
[Si ,S2,S3,S4,S5], station A transmits to station B 
over the error-free public channel the error-control 
information string C = [S\ , + $2 ,$1 ,$3 ,Si + $4 , Si + $s ] 
consisting of 4 parity check bits. As mentioned 
above, addition of binary digits is defined as addi- 
tion modulo 2. Station B accepts a block as suffi- 
ciently reliable if and only if the 4 parity check bits 
received from station A agree with the correspond- 
ing parity check bits of string C = [U + f 2 ,fi + *3, 
U+U,h+ts] for the block S B = [fi ,*2,f3,fc.*s] of 
station B. In other words, the decoder and reliability 
estimator are implemented together as a parity 
checker for S B and a comparator for these com- 
puted parity check bits C and received parity 
check bits C. Thus, the decision bit F is assigned 
the value 1 when the error-control information 
string C received in station 0 is equal to the auxil- 
iary error-control information string Ccomputed in 
station B for string S B in the same manner as the 
error-control information string C has been com- 
puted in station A for string S A . When a block is 
accepted, stations A and B both store as the com- 
pressed string the single bit which is the sum of 
the five bits, i.e., string G A = Si +S2 +s 3 +s* +S5 is 
stored in station A and string 
G B = fi + t 2 + h + U + h is stored in station B. 

The parity check bits agree if and only if the 
blocks S A and S B are either equal, which occurs 
with a probability (0.68) 5 =0.1454, or if they dis- 
agree in every single bit, which occurs with prob- 
ability (0.32) 5 = 0.00336. The probability that a 



block is accepted is thus equal to 
0.1454 + 0.00336 = 0.1487 and the probability that 
the bits G A and G B disagree for an accepted block 
is equal to 0.00336/0.1487 = 0.0225 (i.e. 2.25 %). 

5 The eavesdropper's decision about the transmitted 
bit is wrong when 3 or more errors are contained in 
his received block of 5 bits. In a similar but more 
tedious manner it may be shown that the eaves- 
dropper's optimal guess about the bit G A is bound 

10 to be wrong with a probability of at least 6.15 %. At 
the end of this first round of the protocol, stations A 
and B each possess a random string whose ex- 
pected length is 0.1487/5 = 0.0297 times the length 
of the originally received random string and whose 

75 bits agree with a probability of 97.75 %. 

More precisely, the bits resulting from this re- 
liability increasing protocol appear to stations A 
and B and to the eavesdropper E as if they had 
been received from a random bit source over three 

20 independent channels having respective bit error 
probabilities of 1.141 %, 1.141 % and 5.125 %. 
Incidentally, the cascade of two channels having 
respective bit error probabilities of 1.141 % and 
5.125 % is equivalent to a single channel having a 

25 bit error probability of 6.15 %, which is exactly the 
eavesdropper's bit error probability indicated 
above. 

By now compressing the stored string further 
by adding 8 bits at a time to form a new shared bit, 

30 the reliabilities of the bits of the new string are 
reduced. These bits appear to stations A and B 
and to the eavesdropper E as if they had been 
received from a random bit source over three in- 
dependent channels having respective bit error 

35 probabilities of 1 -(1 -0.01 1 41 ) 8 = 0.0843 = 8.43 %, 
8.43 % and 1-(1 -0.051 25) 8 =0.2895= 28.95 %. 

Stations A and B can now perform again the 
same reliability increasing protocol as described 
above, namely, station A can send to station B 4 

40 parity check bits for every block of 5 shared bits 
resulting from the previously performed protocol, 
and stations A and B can store the sum of the 5 
bits of each block. This results in bits which appear 
to stations A and B and to the eavesdropper E as if 

45 they had been received from a random bit source 
over three independent channels having respective 
bit error probabilities of 0.01 %, 0.01 % and 15.4 
%. By now adding 10 of these bits at a time, 
stations A and B end up with resulting new bits 

50 which agree with a probability of 99.8 %, whereas 
the eavesdropper Ps computed bits disagree with 
a probability of 48.74 %. Such an error probability 
corresponds to the eavesdropper E having only 
0.00046 bits of information (see R.G. Gallager, 

55 quoted above) rather than the entire 1 bit of in- 
formation about every bit shared by stations A and 
B. This eavesdropper's amount of information is 
negligible. 
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If desirable, the eavesdropper's information 
about the final string shared by A and B could be 
even further reduced to an arbitrarily small amount 
by further compressing this shared string. It should 
be noted that in order to compute the amount of 
the eavesdropper's information, one must take into 
account that the eavesdropper need not necessar- 
ily make an optimal decision about the bits shared 
by A and B at each step of the protocol, as has 
been assumed in the analysis given in the above 
example, he can rather base his final decision on 
all the information he received during the entire 
performing of the protocol. Such an analysis of the 
described protocol for a given sequence of protocol 
steps is complicated but feasible. However, for 
performing the protocol it is not required to analyze 
it in such manner. 

Thus, the present invention allows stations A 
and B to perform a protocol at the end of which 
they each possess the same shared random string. 
This protocol is such that an eavesdropper, even 
being given access to all messages exchanged 
between A and B and having unrestricted comput- 
ing power, still cannot determine the string shared 
by A and B, or even such that the eavesdropper 
gets only arbitrarily little information in Shannon's 
sense (see R.G. Gallager, quoted above) about 
said shared string. 

In a particular embodiment of the invention, 
when the protocol performed by stations A and B is 
repeated, i.e. performed a predetermined number 
of times in succession, stations A and B may 
exchange their respective roles with each other one 
or several times. 

In another particular embodiment of the inven- 
tion, the encoder may use as a second input the 
output string R of a random generator RAN, the 
connections of which are shown in the Figure in 
dashed lines. In this case, the string D is an es- 
timate not only of string S A but of a concatenated 
string, denoted S A #fl, resulting from the concatena- 
tion of strings S A and R and stored in station A. 
Accordingly, in station B the decoder DEC selects 
that string D which maximizes the conditional prob- 
ability P(l A #fl = D|§8 = S e ,£=C), wherein R denotes 
a random variable corresponding to the actual 
string R output by the random generator RAN in 
station A, and P($ A #ft = 0^8 = S B £ = Q is the con- 
ditional probability that a random variable 
corresponding to the concatenated string S A #R is 
equal to the particular string O, given the conditions 
that a random variable % B corresponding to string 
S B is equal to that latter string S B and a random 
variable C corresponding to the error-control in- 
formation string C is equal to that latter string C. 

It leads to an equivalent result to select string 
D, among all decoded strings whose encoded 
error-control information is equal to the actual 



error-control information C, as that string which 
maximizes the conditional probability P- 
($ A #7}=D\5 B = S B ). 

One example of using randomization is to 

5 choose a random string R, encode it into a code 
word of the same length as S A and then transmit 
the bit by bit sum modulo 2 of S A and the code 
word over the public channel. A receiver can re- 
cover the random string R if and only if the fraction 

io of errors in its version of the string S A is sufficiently 
small to be corrected by a decoder for the code. 
Accordingly, in station B the decoder selects that 
string D which maximizes the conditional probabil- 
ity P(ff=D|§ B = S e ,£=C) that a random variable R 

15 corresponding to the random string R is equal to 
the particular string D, given the condition that a 
random variable § e corresponding to string S B is 
equal to that latter string S B and a random variable 
£ corresponding to the error-control information 

20 string C is equal to that latter string C. In this case 
the compression transformation is applied by sta- 
tion A to string R and by station B to string D. 

Several generalizations of the described em- 
bodiment may be contemplated. 

25 Other codes than the ones described can be 

used, including any systematic or non-systematic 
linear block codes such as Hamming codes, Golay 
codes, Reed-Solomon codes, Bose-Chaudhuri-Hoc- 
quenghem codes, Reed-Muller codes, Goppa 

30 codes, etc., or convolutional codes. Non-systematic 
codes make sense when a random generator string 
R is used in the encoding process. A description of 
these codes and of procedures for decoding them 
is given by R.E. Blahut (quoted above) or in avail- 

35 able textbooks on error-correcting codes. The tech- 
niques of using error-correcting codes is state of 
the art. 

As mentioned above, the decoder DEC and 
reliability estimator RES can be merged into one 

40 device (which could be represented by one block 
of the block diagram and realized as one functional 
sub-station), since many decoding procedures can 
be adapted to also provide reliability information. 
The reliability estimator RES may also be elimi- 

45 nated in case every decoded block should be 
accepted. Clearly also, in case the decision bit F 
always has the value 1 it would not be necessary 
to transmit it from station B to station A. 

If the amount of information which the eaves- 

50 dropper has about the random secret cipher key 
shared by stations A and B is still too high, stations 
A and B can further reduce the eavesdropper's 
information using a protocol due to Bennett, Bras- 
sard and Robert (see C.H. Bennett, G. Brassard 

55 and J.-M. Robert, quoted above) based on univer- 
sal hashing, thereby further reducing the length of 
the shared key. 

When station A is connected to a noisy broad- 
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cast channel to transmit information to station B, 
the transmitted string need not necessarily be ran- 
dom. Instead, an error-correcting code may be 
used in station A to encode randomly selected 
information blocks and then the corresponding 
code words are transmitted. In station B % reliability 
decisions can then be made directly on the de- 
coded blocks, which are transmitted back to station 
A in the described way. 

Similarly, the string broadcast by a transmitter 
(e.g. in a satellite) could be a random string en- 
coded with some error-correcting code. In both 
stations A and B individual reliability decisions can 
then be made in a first step and the public channel 
be used in this first step only to reach agreement 
on positions of blocks which both have been re- 
ceived with sufficiently reliability. 

Also, the compression performed by stations A 
and B may be publicly agreed by stations A and B 
over the public channel before or after the error- 
control information string has been transmitted, 
rather than being performed according to predeter- 
mined and fixed rules. For instance, only after the 
error-control information string has been transmit- 
ted, stations A and B will decide (e.g. station A will 
decide and inform station B over the public chan- 
nel) which parity check bits must be computed and 
used. 

It will be understood that the above described 
embodiments are but examples from which it is 
possible to deviate without departing from the 
scope of the invention as defined in the appended 
claims. 

Claims 

1. A method of generating a cipher key based on 
information difference in a cryptographic sys- 
tem comprised of at least a first and a second 
cryptography stations, said method comprising 
the steps of 

- storing, in said first and second stations 
(A,B), a respective string (S A ,S B ) of digits 
selected from a finite alphabet, 

- in said first station (A), generating an 
error-control information string (C) from 
the respective string {S A ) stored in said 
first station (A), 

- transmitting said error-control information 
string (C) from said first station (A) to 
said second station (B) over an error-free 
public channel CH1, 

- in said second station (S), generating a 
particular string (D) and a decision bit (F) 
representative of a reliability estimate, 
said particular string (D) being that string 
which maximizes a predetermined reli- 
ability function of a string combination 
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(S B ,C,D) consisting of said string (S e ) 
stored in said second station (6), said 
error-control information string (C) and 
said particular string (D), and said de- 

5 cision bit (F) being assigned the value 1 

if and only if, when said predetermined 
reliability function is maximized as said 
above, a maximum value taken on by 
said predetermined reliability function is 

to greater than a predetermined threshold, 

said decision bit (F) else being assigned 
the value 0, 

- transmitting said value of said decision 
bit (F) from said second station (B) to 

75 said first station (A) over an error-free 

public channel CH2, 

- in said first and second stations (A,B), 
tagging as accepted said respective 
strings {S A> S B ) stored in said first and 

20 second stations (A t B) when said decision 

bit (F) has the value 1 , 

- performing the above sequence of steps 
a predetermined number of times to re- 
sult in a corresponding plurality of 

25 tagged strings, and 

- at said first and second stations {A f B}, 
concatenating said tagged strings {S A ,S B ) 
to result in a random cipher key shared 
by said first and second stations (A,B). 

30 

2. The method of claim 1 , in which said predeter- 
mined reliability function is defined as a con- 
ditional probability P(§^ = D|§ S = S S ,£= Q that a 
random variable (§a) corresponding to said 

35 string (S A ) stored in said first station (A) is 

equal to said particular string (D), given the 
conditions that a random variable (5 e ) cor- 
responding to said string (S B ) stored in said 
second station (B) is equal to that latter string 

40 (S B ) and a random variable (C) corresponding 

to said error-control information string (Q is 
equal to that latter string (C). 

3. The method of claim 1, in which, in said first 
45 station (A), a random string (R) is generated 

and then a concatenation is performed on said 
string (S A ) stored in said first station (A) and 
said random string (R) to result in a concat- 
enated string (S A #R) which is substituted for 
50 said string ($ A ) stored in said first station (A) 

when said error-control information string (C) is 
generated, so that said error-control informa- 
tion string (C) is generated from said concat- 
enated string (S A #R). 

55 

4. The method of claim 3, in which said predeter- 
mined reliability function is defined as a con- 
ditional probability P($ A #ft = D|§ 8 = S S ,S = Q 
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that a random variable corresponding to 

said concatenated string (S A #R) stored in said 
first station (A) is equal to said particular string 
(D), given the conditions that a random variable 
(§s) corresponding to said string <S S ) stored in 5 
said second station (B) is equal to that latter 
string ($ B ) and a random variable (C) cor- 
responding to said error-control information 
string (C) is equal to that latter string (C), and 
said decision bit (F) is assigned the value 1 if w 
and only if said conditional probability P- 
($ A #ft = D\5 B = S B £=C) is greater than a pre- 
determined threshold. 

The method of claim 4, in which said error- is 
control information string (C) is generated by 
first encoding said random string (R) to result 
in an encoded string and then adding digit by 
digit said encoded string and said string (S A ) 
stored in said first station (A), and said pre- 20 
determined reliability function is defined as a 
conditional probability P(R-D\S B = S B ,£=C) 
that a random variable (R) corresponding to 
said random string (ft) is equal to said particu- 
lar string (D), given the condition that a random 25 
variable ($ B ) corresponding to said string (S B ) 
stored in said second station (B) is equal to 
that latter string (S B ) and a random variable (5) 
corresponding to said error-control information 
string (C) is equal to that latter string (C). 30 

The method of any of claims 1 or 2, in which, 
when said decision bit (F) has the value 1, a 
string compression is performed in said first 
station (A) on said string (S A ) stored therein to 35 
result in a first compressed string (G A ) which is 
then stored in said first station (A). 

The method of claim 6, in which the sequence 
of steps is repeated at least once, and in said 40 
repeated sequence said predetermined reliabil- 
ity function is defined as a conditional probabil- 
ity P(S A = D\$b = S B ,5 = C) that a random vari- 
able (S A ) corresponding to said first com- 
pressed string (G A ) is equal to said particular 45 
string (D), given the condition that a random 
variable (§ s ) corresponding to said string ($ B ) 
stored in said second station (B) is equal to 
that latter string (S B ) and a random variable (6) 
corresponding to said error-control information 50 
string (C) is equal to that latter string (C). 

The method of claim 6, in which, when said 
decision bit (F) has the value 1, a string com- 
pression also is performed in said second sta- 55 
tion (fl) on said particular string (D) to result in 
a second compressed string (G s ) which is then 
stored in said second station (B). 



9. The method of claim 8, in which identical 
string compressions are performed in said first 
station (A) on said string (S A ) stored therein to 
result in a first compressed string (G A ) which is 
then stored in said first station (>A) and in said 
second station (B) on said particular string (D) 
to result in a second compressed string (G B ) 
which is then stored in said second station (B). 

10. The method of claim 5, in which, when said 
decision bit (F) has the value 1 , identical string 
compressions are performed in said first sta- 
tion (A) on random string (R) to result in a first 
compressed string (G A ) which is then stored in 
said first station {A) and in said second station 
(B) on said particular string (D) to result in a 
second compressed string (G B ) which is then 
stored in said second station (£7). 

11. The method of any one of claims 6 to 10, in 
which compression of a string of digits is de- 
fined as generating a compressed string con- 
sisting of digits, each of which is a linear 
combination of digits of said string subjected 
to compression. 

12. The method of any one of claims 1 to 11, in 
which said error-control information string (C) 
is generated as a string consisting of digits, 
each of which is a linear combination of digits 
of said string (S A ) stored in said first station 
(A). 

13. The method of any one of claims 1 to 12, in 
which ail strings are binary strings. 

14. The method of any one of claims 11 or 12, in 
which all strings are binary strings consisting 
of a set of bits, and said linear combination of 
digits is defined as a sum modulo 2 of the bits 
comprised in a subset of said set of bits. 

15. The method of claim 14, in which both said 
strings (S A ,S B ) respectively stored in said first 
and second stations (A,B) have a predeter- 
mined number N of bits, said error-control in- 
formation string (C) consists of a number N-1 
of parity check bits, and compression of a 
string is defined as replacing the latter string 
by a single bit which results from said linear 
combination being applied to all bits of the 
latter string. 

16. The method of claim 15, in which said decision 
bit (F) is assigned the value 1 when said error- 
control information string (C) received in said 
second station (B) is equal to an auxiliary 
error-control information string (C) computed 
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in said second station (B) for said string (S e ) 
stored in said second station (B) in the same 
manner as said error-control information string 
(C) is computed in said first station (A) for said 
string (S A ) stored in said first station (A). 

17. The method of any one of claims 1 to 16, in 
which the sequence of steps is performed a 
predetermined number of times in succession. 

18. The method of claim 17, in which each of said 
strings (S A ,S B ) respectively stored in said first 
and second stations (A,B) is a result of a 
previously performed sequence of steps. 

19. The method of claim 18, in which each of said 
strings (S A ,S B ) respectively stored in said first 
and second stations (A,B) is a result (G Ai G B ) of 
a previously performed sequence of steps in- 
cluding a string compression performed in said 
first station (A) on said string {S A or H) stored 
therein to result in a first compressed string 
{G A ) which is then stored in said first station (A) 
and in said second station {B) on said particu- 
lar string (D) to result in a second compressed 
string (G s ) which is then stored in said second 
station (8). 

20. The method of any one of claims 17 to 19, in 
which said first and second stations (A,B) ex- 
change their respective roles when the se- 
quence of steps is repeated. 

21. The method of any one of claims 1 to 16, in 
which the sequence of steps is simultaneously 
performed a predetermined number of times in 
parallel, resulting in a same predetermined 
number of resulting error-control information 
strings (C) and resulting values of said de- 
cision bit (F). all said resulting error-control 
information strings (C) being merged to be 
transmitted from said first station (A) to said 
second station (B) in one message, and all 
said resulting values of said decision bit {F) 
being merged to be transmitted from said sec- 
ond station (fl) to said first station (A) in one 
message. 

22. A cryptographic system for performing the 
method of claim 1, comprising a first and a 
second cryptography station (A,B), 

• each station (A,B) comprising 

- a respective transmitter (TRA,TRB) 
and a respective receiver (REA.REB) 
capable of mutually transferring infor- 
mation strings over respective error- 
free public channels (CH1.CH2), and 

- a storage means (STA,STB) for stor- 
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ing respective strings of digits 
(S A ,S B ,G Al G B ), 

• the first station (A) further comprising 

- a string compressor (SCA) having in- 
puts respectively connected to an out- 
put of the respective storage means 
(STA) and to an output of the respec- 
tive receiver (REA), and having an 
output connected to an input of the 
respective storage means (STA), and 

- an encoder (ENC) having an input 
connected to said output of the re- 
spective storage means (STA) and an 
output connected to an input of the 
respective transmitter (TRA), 

• and the second station (B) further com- 
prising 

- a decoder (DEC) having an input con- 
nected to an output of the respective 
receiver (REB) and to an output of the 
respective storage means (STB), 

- a string compressor (SCB) having an 
input connected to an output of the 
decoder -(DEC) and an output con- 
nected to an input of the respective 
storage means (STB), and 

- a reliability estimator (RES) having in- 
puts each respectively connected to 
said outputs of the decoder (DEC), the 
respective receiver (REB) and the re- 
spective storage means (STB), and 
having an output connected to a fur- 
ther input of the string compressor 
(SCB) and to an input of the respec- 
tive transmitter (TRB). 

23. A cryptographic system according to claim 22, 
in which said decoder (DEC) and said reliabil- 
ity estimator (RES) are merged into a single 
device. 

24. A cryptographic system according to claim 22 
for performing the method of claim 3, in which 
the first station (A) further comprises a random 
generator (RAN) whose output is connected to 
a further input of the respective string com- 
pressor (SCA) and to a further input of the 
encoder (ENC). 
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